Posted by media on April 26, 2017 at 9:00 AM
The Internet and the new technologies that followed it have given rise to new forms of crime and breaches of norms that we could not have anticipated only a decade ago. It has therefore been necessary to adapt existing laws in order to regulate these situations and to protect citizens and companies from cyber attacks as far as possible. New rules and protocols have also been established to govern situations that, until now, did not exist in the offline world.
In this guest post by Vanesa Alarcón, IT lawyer and founding partner of Avatic Abogados, we look at the Spanish and European laws that are bringing order to cyberspace and trying to put a stop to the new generations of cybercriminals.
This post is also available in Spanish.
Before talking about the rules that apply to cybersecurity in Spain and in the EU, first we must define what this word means. According to the dictionary from the National Initiative for Cybersecurity Careers and Studies (NICCS) in the United States, whose website is owned by the Department of Homeland Security, cybersecurity is “the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.”
In other words, cybersecurity comprises the measures designed to protect users and companies that operate on the Internet. Cybersecurity is in fact part of a broader concept, information security, which aims to protect digital information in interconnected systems.
There are other concepts related to cybersecurity, such as cybercrime, cyber threats and cyberspace, whose main common feature is that they exist in the network. Therefore:
In short, cybersecurity is intended to protect us against attacks or illegal actions of third parties in the Internet.
An illicit action could be anything from an online scam, introducing a computer virus into a company's computers, stealing account details and/or passwords of the users of a platform, or publishing lies about someone, to impersonation or identity theft.
Cybersecurity therefore touches on many areas of criminal and civil law, as well as the protection of honour and privacy, among others, that also apply in the real, physical world. What has to be taken into account is the online dimension in which these illicit or illegal acts take place, and the particular impact they have precisely because they occur in the digital world.
Cybersecurity law is a compendium of rules, since no single rule regulates everything.
There is a recent European Directive, Directive (EU) 2016/1148 (the NIS Directive), concerning measures for a high common level of security of network and information systems across the EU.
This Directive contains articles on the security of network and information systems for operators of essential services and for digital service providers.
Thus, Article 14 states that “Member States shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.”
That is, member states must ensure that measures adequate and proportionate to the risk involved are in place. They must also take measures to prevent and minimise the impact of incidents affecting security.
Likewise, member states should also notify, without undue delay, the competent authority or the CSIRT (Computer Security Incident Response Team) of incidents that have a significant impact on the continuity of the essential services they provide, so that action can be taken at the institutional or national level, as the case may be.
Article 16 also establishes the member states' duty to ensure that digital service providers identify and adopt proportionate technical and organisational security measures to manage the risks posed to the security of the network and information systems they use. To do so, they must adopt measures regarding the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.
In Spain there is a Cybersecurity Law Code, published in the Official State Gazette (BOE, Boletín Oficial del Estado), which sets out the main rules to be taken into account in protecting cyberspace and ensuring the cybersecurity described above.
This code references the following laws, among others:
As you can see, this is a very complex network of rules that aims to regulate the many different situations that can arise on the Internet.
Regarding cybersecurity at the technical and organisational level, it is also necessary to take into account the new European Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR), as well as other international protocols and rules, especially those governing international data transfers, such as the Privacy Shield.
These are just some of the rules that aim to protect cyberspace; there are many more detailed ones that regulate even more specific aspects.
For example, when a criminal act involves impersonating a brand or company, using it unlawfully, or infringing works protected by intellectual property, then in addition to the rules contained in the Spanish code mentioned above, the trademark law or the regulations on intellectual and industrial property must also be taken into account, as applicable.
Cybersecurity can therefore be breached not only by committing or omitting acts that concern security as such; sometimes the rights of a third party are also affected by someone exploiting acts that specifically target the security of a network.
This is a guest post by Vanesa Alarcón Caparrós.
Vanesa is a lawyer specialising in new technologies and intellectual property, and a founding partner of Avatic Abogados.